CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.
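The following is an added illustration of the authorization gap described above, written here for this page and not taken from Craft CMS: a hypothetical group-membership save routine that, like the flawed pattern in the description, authorizes only the groups a user is being added to, beside a version that authorizes removals with the same per-group check. The function names, the `GroupSaveDenied` exception and the `$canAssignGroup` callback are assumptions, not Craft APIs.

```php
<?php
// Added illustration (not Craft CMS code) of CWE-862 on group removals.
// All names below are hypothetical; $canAssignGroup stands in for whatever
// per-group permission check the application already has for additions.

declare(strict_types=1);

final class GroupSaveDenied extends RuntimeException {}

/**
 * Flawed pattern: each group the target user is ADDED to is authorized,
 * but groups the user is dropped from are not. An empty $requestedGroupIds
 * therefore passes every check and strips all memberships.
 *
 * @param int[]               $currentGroupIds   groups the target belongs to now
 * @param int[]               $requestedGroupIds groups the submitted form wants
 * @param callable(int): bool $canAssignGroup    hypothetical permission check
 * @return int[] resulting memberships
 */
function saveUserGroupsFlawed(array $currentGroupIds, array $requestedGroupIds, callable $canAssignGroup): array
{
    foreach (array_diff($requestedGroupIds, $currentGroupIds) as $addedId) {
        if (!$canAssignGroup($addedId)) {
            throw new GroupSaveDenied("not allowed to add to group $addedId");
        }
    }
    // Removals (present now, absent from the request) are never checked.
    return array_values($requestedGroupIds);
}

/**
 * Hardened pattern: compute both directions of the change and require the
 * same per-group permission for every removal as for every addition.
 */
function saveUserGroupsChecked(array $currentGroupIds, array $requestedGroupIds, callable $canAssignGroup): array
{
    $added   = array_diff($requestedGroupIds, $currentGroupIds);
    $removed = array_diff($currentGroupIds, $requestedGroupIds);

    foreach ([...$added, ...$removed] as $groupId) {
        if (!$canAssignGroup($groupId)) {
            throw new GroupSaveDenied("not allowed to change membership of group $groupId");
        }
    }
    return array_values($requestedGroupIds);
}

// Constructed scenario: the acting user may assign no groups at all,
// and the target user currently belongs to groups 1 and 2.
$canAssignNothing = static fn (int $groupId): bool => false;
$current = [1, 2];

// Flawed routine: the empty submission survives every check and wipes both memberships.
var_dump(saveUserGroupsFlawed($current, [], $canAssignNothing));

// Hardened routine: the same submission is rejected because removals are authorized too.
try {
    saveUserGroupsChecked($current, [], $canAssignNothing);
} catch (GroupSaveDenied $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the diff-in-both-directions approach is that the permission decision is made on the change set rather than on the submitted list alone, so a shorter or empty list cannot bypass it; a detection-side equivalent is to log the removed group IDs alongside the acting user's permission set and alert when a removal is performed by an account that could not have added the same group.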
| Field | Value |
| --- | --- |
| CWE | CWE-862 |
| Vendor | craftcms |
| Product | cms |
| Published | Apr 21, 2026 |
Affected Versions
craftcms / cms
>= 5.6.0, < 5.9.15